Mozilla Foundation Security Advisory 2010-43

Same-origin bypass using canvas context

Announced

July 20, 2010

Reporter

Vladimir Vukicevic

Impact

High

Products

Firefox, Thunderbird

Fixed in

Firefox 3.6.7

Thunderbird 3.1.1

Description

Mozilla developer Vladimir Vukicevic reported that
a canvas element can be used to read data from another site, violating
the same-origin policy. The read restriction placed on a canvas
element which has had cross-origin data rendered into it can be
bypassed by retaining a reference to the canvas element's context and
deleting the associated canvas node from the DOM.
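
The design lesson behind this bug, as a simplified model added here (not Firefox code and not part of the advisory). The class and method names (`CanvasNode`, `FragileContext`, `HardenedContext`, `destroy`) are hypothetical, as is the assumption that the read check depended on the owning node. The model shows why the origin-clean state has to live with the pixel buffer that the check protects.

```javascript
// Simplified, hypothetical model of canvas origin-clean tracking.
// Runs in plain Node.js; no browser APIs are used.

class CanvasNode {
  constructor(ContextClass) {
    this.originClean = true;               // flag kept on the DOM node
    this.context = new ContextClass(this);
  }
  getContext() { return this.context; }
  // Models removing the node from the DOM and severing its link to the context.
  destroy() { this.context.canvas = null; }
}

// Fragile: the read check consults the owning node and fails open when it is gone.
class FragileContext {
  constructor(canvas) { this.canvas = canvas; this.pixels = []; }
  drawImage(image, pageOrigin) {
    this.pixels.push(image.data);
    if (image.origin !== pageOrigin && this.canvas) this.canvas.originClean = false;
  }
  getImageData() {
    if (this.canvas && !this.canvas.originClean) throw new Error("SecurityError");
    return this.pixels.slice();
  }
}

// Hardened: the flag is stored next to the pixels it guards, so it survives
// loss of the node, and a missing owner is never treated as "clean".
class HardenedContext {
  constructor(canvas) { this.canvas = canvas; this.pixels = []; this.originClean = true; }
  drawImage(image, pageOrigin) {
    this.pixels.push(image.data);
    if (image.origin !== pageOrigin) this.originClean = false;
  }
  getImageData() {
    if (!this.originClean) throw new Error("SecurityError");
    return this.pixels.slice();
  }
}

// Returns true if a read is still refused after the owning node is torn down.
function readBlockedAfterTeardown(ContextClass) {
  const node = new CanvasNode(ContextClass);
  const ctx = node.getContext();           // reference kept past the node's lifetime
  // Constructed sample input: an image from a different origin than the page.
  ctx.drawImage({ origin: "https://other.example", data: "px" }, "https://page.example");
  node.destroy();
  try { ctx.getImageData(); return false; } catch (e) { return e.message === "SecurityError"; }
}
```

A regression test for this class of bug should exercise the read check on a context whose owning node no longer exists, not only on a live canvas.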